# A filter to block random test attacks on my server
#
# Matches e.g.
# put some new matches here


#
[Definition]

bashfragments_generic = \(\) \{ :;\};|\(\) \{ :; \};|\(\) \{.*\};
bashfragments_2 = /bin/bash -|bash -

## starting with shellshock
failregex = ^<HOST> -.* "(?:%(bashfragments_generic)s)|(?:%(bashfragments_2)s)
			^<HOST> .* "(POST|HEAD|GET) /tmUnblock.cgi
			## admin attacks
			^<HOST> .* "(POST|HEAD|GET) /administrator/
			^<HOST> .* "(POST|HEAD|GET) .*/administrator/
			^<HOST> .* "(POST|HEAD|GET) /admin/
			^<HOST> .* "(POST|HEAD|GET) .*/admin/
			^<HOST> .* "(POST|HEAD|GET) /manager/
			^<HOST> .* "(POST|HEAD|GET) /dbadmin/
			^<HOST> .* "(POST|HEAD|GET) /pma
			^<HOST> .* "(POST|HEAD|GET) /phpMyAdmin/

			## wordpress attacks
			^<HOST> .* "(POST|HEAD|GET) /wordpress/
			^<HOST> .* "(POST|HEAD|GET) /wp/
			^<HOST> .* "(POST|HEAD|GET) .*/wp-admin/
			^<HOST> .* "(POST|HEAD|GET) .*wp-login.php

			## cgi attacks
			^<HOST> .* "(POST|HEAD|GET) /cgi-bin/
			^<HOST> .* "(POST|HEAD|GET) /cgi-mod/
			^<HOST> .* "(POST|HEAD|GET) /cgi-sys/
			^<HOST> .* "(POST|HEAD|GET) /sys-cgi/
			^<HOST> .* "(POST|HEAD|GET) /cgi-bin.*

			## generic attacks
			^<HOST> .* "(POST|HEAD|GET) .*setup.php
			^<HOST> .* "(POST|HEAD|GET) .*login.php
			^<HOST> .* "(POST|HEAD|GET) .*admin.php
			^<HOST> .* "(POST|HEAD|GET) /login/
			^<HOST> .* "(POST|HEAD|GET) /script
			^<HOST> .* "(POST|HEAD|GET) /phppath/
			^<HOST> .* "(POST|HEAD|GET) .*/install/

			## misc attacks I havelogged
			^<HOST> .* "(POST|HEAD|GET) /muieblackcat
			^<HOST> .* "(POST|HEAD|GET) /themes/elastixneo/ie.css
			^<HOST> .* "(POST|HEAD|GET) /docs/funcspecs/3.jsp
			^<HOST> .* "(POST|HEAD|GET) /a2billing/
			^<HOST> .* "(POST|HEAD|GET) /user/soapCaller.bs
			^<HOST> .* "(POST|HEAD|GET) /w00tw00t.*
			^<HOST> .* "(POST|HEAD|GET) /HNAP1/
			^<HOST> .* "(POST|HEAD|GET) /rom-0
			^<HOST> .* "(POST|HEAD|GET) /hndUnblock.cgi
			^<HOST> .* "(POST|HEAD|GET) /checkout/
			## This should block binary?
			^<HOST> .* "\S*\\x
			^<HOST> .* "(POST|HEAD|GET) /.ssh
			^<HOST> .* "(POST|HEAD|GET) /.git
			^<HOST> .* "(POST|HEAD|GET) /Ringing.at.your.dorbell
			^<HOST> .* "PROPFIND
			^<HOST> .* "CONNECT
			^<HOST> .* "PUT
			^<HOST> .* "(POST|HEAD|GET) /_asterisk
			^<HOST> .* ""
			^<HOST> .* "quit"
			^<HOST> .* "(POST|HEAD|GET) /server-status
			#^<HOST> .* "(POST|HEAD|GET) 
			#^<HOST> .* "(POST|HEAD|GET) 
			#^<HOST> .* "(POST|HEAD|GET) 
			#^<HOST> .* "(POST|HEAD|GET) 
			#^<HOST> .* "(POST|HEAD|GET) 

ignoreregex = ^<HOST> .* "(POST|HEAD|GET) /irpg/.*
              ^<HOST> .* "(POST|HEAD|GET) /ttrss/.*
              ^<HOST> .* "(POST|HEAD|GET) /s/.*


### (GET|POST|HEAD)

              ## shell shock:
              ## bashfragh*
              ## /tmUnblock.cgi
